VirusTotal
Connector Category: Enrichment Tool
About Integration
VirusTotal provides a collaborative service to promote information exchange and strengthen internet security. CTIX integrates with VirusTotal to analyze and add context to potentially malicious IPs, URLs, hashes, and domains. Analysts can utilize this data to detect malicious content coming into the application and take necessary actions to control a possible breach. Currently, CTIX supports integration with VirusTotal version 3 only.
Use Cases
Add context to suspicious or potentially malicious threat data from the feeds coming into the application.
Obtain information about threat locations and techniques utilized to disseminate threats.
Identify and track the source of malicious threat data and take proactive measures to prevent breaches.
Benefits
Perform extensive searches to appropriately map threat data for better detection.
Configure VirusTotal as an Enrichment Tool
Configure VirusTotal to enrich IPs, URLs, hashes, and domains.
Before you Start
Ensure that you have the API key of your VirusTotal account.
Ensure that you have the Update enrichment tools and policies, Create enrichment tools and policies, and View enrichment tools and policies permissions.
Steps
Navigate to Administration, select Enrichment Management, and select Enrichment Tools.
Search and select the VirusTotal V3 app.
Click Add Instance.
Enter a unique account name to identify the instance, such as Prod_VirusTotal.
Enter the base URL to directly connect to the application's server, such as https://www.virustotal.com/api/v3.
Enter the API key to make the necessary API calls between CTIX and VirusTotal servers.
Select Verify SSL to verify and secure the connection between the CTIX and VirusTotal servers.
If you disable this option, CTIX may configure an instance even when the server presents an expired SSL certificate. The connection may then not be established properly, and CTIX will not be able to notify you of a broken or improper connection. It is recommended to select this option.
Click Save.
After successfully adding an account, you can view and enable the VirusTotal feed enrichment types. You can also configure a quota to limit the number of enrichment requests CTIX makes to VirusTotal. After the quota is used up, you cannot make enrichment requests until the quota resets for the next quota duration. For more information, see Define Quota in Configure Enrichment Tools.
To understand the number of API calls and quota units consumed by the VirusTotal V3 enrichment tool, refer to the following table:
Enrichment Tool | Feed Enrichment Type | Number of API Calls | Quota Consumed
---|---|---|---
VirusTotal | IP | 1 | 1
VirusTotal | URL | 1 | 1
VirusTotal | Domain | 1 | 1
VirusTotal | Hash | 1 | 1
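As an added sketch (not CTIX's or VirusTotal's own code), the following Python shows what one VirusTotal V3 request looks like for each feed enrichment type, what the Verify SSL option changes, and how the one-unit-per-call quota in the table would be enforced. The collection paths and the x-apikey header come from VirusTotal's public v3 API; the quota size, the transport callable and the sample indicators are assumed.

```python
import base64
import json
import ssl
import urllib.request

BASE_URL = "https://www.virustotal.com/api/v3"  # base URL as entered for the CTIX instance
# VirusTotal v3 object collections, keyed by CTIX feed enrichment type
ENDPOINTS = {"ip": "ip_addresses", "domain": "domains", "hash": "files", "url": "urls"}


def url_id(url: str) -> str:
    """VirusTotal v3 identifies a URL by its URL-safe base64 form without '=' padding."""
    return base64.urlsafe_b64encode(url.encode()).decode().rstrip("=")


def build_request(kind: str, value: str, api_key: str) -> tuple:
    """Return (endpoint URL, headers) for one lookup; each enrichment is a single GET."""
    if kind not in ENDPOINTS:
        raise ValueError(f"unsupported feed enrichment type: {kind}")
    ident = url_id(value) if kind == "url" else value
    return f"{BASE_URL}/{ENDPOINTS[kind]}/{ident}", {"x-apikey": api_key}


def tls_context(verify_ssl: bool) -> ssl.SSLContext:
    """Verify SSL on (recommended) checks chain and hostname; off accepts any certificate."""
    ctx = ssl.create_default_context()
    if not verify_ssl:
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    return ctx


class Enricher:
    """One configured instance: API key, quota and per-call accounting (1 unit per lookup)."""

    def __init__(self, api_key: str, quota: int, verify_ssl: bool = True):
        self.api_key, self.quota, self.used = api_key, quota, 0  # quota size is assumed
        self.ctx = tls_context(verify_ssl)

    def reset_quota(self) -> None:  # called when the quota duration rolls over
        self.used = 0

    def enrich(self, kind: str, value: str, transport=None) -> dict:
        """Look up one indicator; transport(url, headers) -> dict lets callers run offline."""
        if self.used >= self.quota:
            raise RuntimeError("quota exhausted until the next quota duration")
        url, headers = build_request(kind, value, self.api_key)
        self.used += 1  # per the table, every IP, URL, domain or hash lookup costs 1 unit
        return (transport or self._http_get)(url, headers)

    def _http_get(self, url: str, headers: dict) -> dict:
        req = urllib.request.Request(url, headers=headers)
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.load(resp)
```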
You can configure an enrichment policy to automatically enrich threat data objects using the VirusTotal enrichment tool. For more information, see Configure Enrichment Policy.